These crypto detectives helped crack North Korea’s latest $1.5 billion blockchain heist

Crypto criminals can’t hide

The single largest cryptocurrency heist in history took place one day in late February, when hackers exploited system vulnerabilities in Bybit, a Dubai-based crypto exchange, siphoning off a whopping $1.5 billion in digital assets within minutes.

Bybit’s security team immediately launched an investigation that would eventually involve the FBI and several blockchain intelligence companies. Among those involved from the beginning were the experts at TRM Labs, a San Francisco-based company of around 300 that analyzes the blockchain networks which power cryptocurrency transactions to investigate—and prevent—fraud and financial crimes.

“Literally from the first minutes, we were involved,”  says Ari Redbord, the company’s global head of policy, “working with Bybit and law enforcement partners like the FBI to track and trace funds.”

The attack was soon attributed to a North Korean state-sponsored hacker organization commonly known as Lazarus Group. Lazarus has been blamed for a series of high-profile cybercrimes in recent years, including the 2014 hack on Sony Pictures Entertainment, the 2016 digital heist from the Bangladeshi central bank and, more recently, billions of dollars in digital currency thefts. TRM was among the first to attribute the Bybit attack after detecting an overlap between the blockchain resources used here and those used in Lazarus’s previous thefts. Since then, the company has harnessed its expertise in tracking crypto to keep law enforcement abreast of where the stolen funds are headed, following them from blockchain to blockchain and through clever concealment mechanisms. “We were very much built for an investigation like this,” Redbord says.

Today, TRM’s investigators probe cryptocurrency thefts, ransomware attacks, and phishing scams. They help investigate other crimes that involve digital currencies, from child pornography to drug trafficking. The company’s free, public platform Chainabuse, launched in 2022, helps people report fraud, hacking, blackmail, and other crypto-related crimes. Clients in the cryptocurrency and finance industries harness the company’s software and data about blockchain transactions to identify funds associated with criminal activity and to flag suspicious transactions. Law enforcement agencies around the world enlist TRM’s tools—and sometimes even the company’s own investigators.

Demand for such investigators is growing. TRM—which stands for Token Relationship Management—has raised about $150 million in total funding to date, from notable backers that include the venture arms of PayPal, American Express, and Citi, as well as Goldman Sachs. The investment bank led TRM’s most recent, late-stage funding round, which closed in January for an undisclosed amount, according to the research firm PitchBook.

Meanwhile, the crypto ecosystem is likely to experience positive growth throughout 2025, according to a recent analysis by PitchBook. So too will crypto crimes: Illicit operations took $40 billion worth of crypto last year, according to Chainalysis, another blockchain security company—far more than the roughly $10 billion in venture capital funding that flowed into the above-board crypto sector in the same span, and more even than crypto’s 2022 VC funding peak of $29.8 billion.

Roles like TRM’s will become more urgent if the government continues to abdicate its regulatory duties. Last month, the Trump administration shuttered a Justice Department unit that targeted crypto-related crimes. Yet crypto sits at the nexus of so many of the president’s domestic interests—fentanyl, counterterrorism, border security, and fraud. For TRM and rivals like Chainalysis and Elliptic, all of which have already won millions of dollars in federal contracts, the future is bright.

From NFTs to crypto fraud

One paradox of Bitcoin, Ethereum, and other cryptocurrency systems is that while they’re widely thought to provide anonymity, with users exchanging funds based not on real names and physical addresses, but on so-called digital addresses—unique and lengthy strings of alphanumeric characters that serve as a given account’s sole identifier—the records of those transactions are still public. A common ledger logs every payment, tying each transaction to those that came before, all the way back to the tokens’ minting.

And once information becomes known about one transaction and the people or organizations behind the addresses involved, it becomes possible to trace those funds back and forth through time and from address to address. That allows clever observers to follow the money and deduce where funds came from, who other counterparties may be, and which transactions likely involved some of the same parties, like how investigators might piece together who used an anonymous burner phone based on the numbers they called.

It’s a limitation to anonymity that Bitcoin’s pseudonymous creator Satoshi Nakamoto alluded to in the groundbreaking paper describing cryptocurrency’s underpinnings. And it’s one that computer scientist Sarah Meiklejohn and colleagues at the University of California San Diego showed to be a reality in a widely cited 2013 paper that demonstrated concretely how Bitcoins could be grouped by likely common owner—and how those owners could sometimes be identified from a database of known addresses. And that database, Meiklejohn and colleagues showed, could be assembled by a determined researcher simply doing ordinary business on the blockchain and recording the addresses used by the various vendors, exchanges, and other parties they transact with.

While not the first company to run with Meiklejohn’s ideas on tracking the transfer of cryptocurrencies—rival Chainalysis, for one, launched in 2014—TRM offered the first-ever platform compatible with the Ethereum blockchain, widely used both for its own currency and assets like non-fungible tokens, or NFTs. At the time, “all of these blockchain intelligence companies had built their entire data architecture on the Bitcoin blockchain,” Redbord says, “because Bitcoin was entirely synonymous with cryptocurrency, and vice versa.”

TRM began in 2018 as CEO Esteban Castaño and CTO Rahul Raina’s effort to capitalize on NFTs’ trendiness. After demoing an easy-to-use analytics tool they’d built to help understand NFT market movement to a friend with his own blockchain-based startup, Castaño and Raina decided to pivot. Their creation could be its own product with wide appeal—the same blockchains which track NFTs also manage cryptocurrencies—Castaño says that while “nobody had ever gotten excited about any of the other NFT applications we were building,” this was different. Describing their friend and his employees’ reactions, he says, “it was the first time they’d seen on-chain activity visualized in a way they could understand.”

Talking to potential customers soon revealed a critical use case beyond basic customer analytics: understanding the flow of funds on the blockchain to avoid unwittingly participating in money laundering. A now-pivoted TRM publicly launched in 2019 with a tool it planned to sell to blockchain businesses looking to comply with anti-money-laundering regulations. But a more proactive use case soon arose that suggested even bigger opportunities.

A friend reached out to say he’d fallen victim to a cryptocurrency hack and wanted to know if TRM could help find the missing money. With the company’s tool, “we could see in clear daylight where the money was,” Castaño says. “So we got in touch with the Secret Service, we got in touch with the FBI, and that was the initial pull into that market.”

By the time TRM Labs emerged from Y Combinator, in 2019, fighting and preventing fraud and other crime had become its primary focus.

‘They’re threat hunters’

Many TRM senior leaders and investigators honed their expertise over years in law enforcement, working at police agencies across the world. Redbord, the global policy head, served for more than a decade as a U.S. federal prosecutor and spent two years working on money laundering and national security at the Treasury Department before joining the company. Chris Janczewski, head of global investigations, previously served as a special agent at IRS Criminal Investigations, where he was instrumental in recovering cryptocurrency stolen in the infamous 2016 hack on the Bitfinex exchange; in the time between theft and recovery, the digital coins’ value had ballooned to $3.6 billion, making it the largest federal government seizure in history. The laptop Janczewski used in the investigation is now in the Smithsonian’s permanent collection.

“They’re threat hunters,” Redbord says of TRM’s investigators. “Our terror financing expert is out there communicating on password-protected Telegram channels with mujahideen, who will send him a crypto address. He’ll take that address and label it terror financing, and then we use AI and machine learning to build on that attribution.”

With investigators around the globe, the company is able to track illicit funds around the clock. “Things like Bybit, you can’t have just one investigator doing that,” says TRM senior investigator Jonno Newman.

Being based in Australia, in a time zone close to that of North Korea, made it easy for Newman to help out in the early days of the still-ongoing Bybit investigation. It also helped that he had previously led TRM’s investigation into an earlier hack attributed to North Korea, in 2023, where more than $100 million in cryptocurrency was reported stolen from thousands of blockchain addresses on the digital coin storage tool Atomic Wallet.

Then, Newman says, the hackers began obfuscating the stolen funds’ origins and ultimate destination, shuffling their plunder between different virtual addresses and cryptocurrencies. They relied on so-called mixers, which hold and combine coins from multiple sources before disbursing them to new addresses, and cross-chain bridges, which let users convert funds from one cryptocurrency to another. Hackers would later use a similar playbook in moving the Bybit funds.

As a result of TRM’s automated fund tracker across bridges, a service it has offered since 2022—an industry first, CEO Castaño says—investigators were able to closely monitor where the Atomic Wallet funds headed, tipping off law enforcement as needed about opportunities to freeze or seize them. “It was early mornings and late nights trying to keep up with the laundering process.” says Newman of the investigation. The former head of South Australia Police’s cybercrime training and prevention unit and author of a recent children’s book about the crypto world, he says “it becomes this almost cat-and-mouse game about where they are going to go next.”

TRM’s products at least make the game playable. “When you’re following the money, it used to be that you would reach a dead end when the money went to a different blockchain,” Castaño says. “But with TRM, tracing across blockchains is seamless.”

Cautious optimism for blockchain security

Not everyone believes TRM’s tech can fully deliver on its promise, at least from a legal perspective. J.W. Verret, an associate professor at George Mason University’s Antonin Scalia Law School who has testified as an expert witness in crypto-related matters, cautions that most testimony based on blockchain forensics tools should be viewed as potentially fallible, “They are useful for developing leads at the start of an investigation,” he says, but can be overly relied on like “the long history of junk forensic science—handwriting analysis, bitemark analysis, stuff that’s all kind of later proven to be unreliable.” For its part, Verret says, TRM Labs offers tools that are less prone than some of its competitors to false positives because the company is more careful about how it establishes associations between blockchain addresses and criminal activity.

Meanwhile, last September, TRM announced the creation of the T3 Financial Crime Unit, a partnership with the organizations behind the Tron blockchain and Tether stablecoins to combat the use of those technologies for money laundering. By January, TRM said the partnership had helped freeze more than $100 million in USDT—Tether’s stablecoin pegged in value to the U.S. dollar—found to be tied to criminal activity. That figure has since more than doubled, with the total now including nearly $9 million linked to the massive Bybit heist.

“In the seven months since launch, T3 has worked with law enforcement to freeze over $200 million linked to illicit activity ranging from terror financing to money laundering to fraud,” Castaño says. “And when you think about how much crime is financially motivated, adding a $200 million expense to criminals’ balance sheet is a huge win for deterring crime.”

But even as TRM jockeys for pole position in a competitive industry, cybercriminals continue to develop new methods of stealing and hiding funds through complex blockchain machinations, often by taking advantage of crypto efficiency gains that make it easier to move more money faster. That will only continue as criminals deploy AI to automate scams and potentially even money laundering—and investigators use new AI and machine learning techniques, along with ever-growing blockchain datasets, to track them more efficiently and coordinate with law enforcement to stop them and seize their funds.

And since blockchain ledgers last forever, crypto criminals are risking more than perhaps they realize, according to Castaño. “You’re betting not only that TRM and law enforcement won’t be able to identify your illicit activity today, but that we won’t be able to do it in the future,” he says. “Because the record is permanent.” And that’s the most powerful advantage investigators possess.